authorToni Uhlig <matzeton@googlemail.com>2025-05-21 15:17:24 +0200
committerToni Uhlig <matzeton@googlemail.com>2025-05-21 15:17:24 +0200
commitf77cab67183176245de16f3d1ecbdbc8699a3abd (patch)
treee942676d375f298b79f815f4b1d369fc821c0282
parent3f4a6ab2fd539a77ce8c076ff0117264fc67d06b (diff)
Changed gEfiGuardDriverProtocolGuid, EFIGUARD_BACKDOOR_VARIABLE_NAME and EFIGUARD_BACKDOOR_COOKIE_VALUEtestmy
* added some measurements that will get used later Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--Application/EfiDSEFix/src/EfiDSEFix.cpp2
-rw-r--r--EfiGuardDxe/EfiGuardDxe.c5
-rw-r--r--EfiGuardPkg.dec2
-rw-r--r--Include/Protocol/EfiGuard.h11
4 files changed, 16 insertions, 4 deletions
diff --git a/Application/EfiDSEFix/src/EfiDSEFix.cpp b/Application/EfiDSEFix/src/EfiDSEFix.cpp
index 0f87e0b..03bfbba 100644
--- a/Application/EfiDSEFix/src/EfiDSEFix.cpp
+++ b/Application/EfiDSEFix/src/EfiDSEFix.cpp
@@ -410,6 +410,8 @@ WriteToCiOptions(
*OldCiOptionsValue = OldCiOptions;
}
+ RtlZeroMemory(&BackdoorData, sizeof(BackdoorData));
+
return STATUS_SUCCESS;
}
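Review bot: The added `RtlZeroMemory(&BackdoorData, sizeof(BackdoorData));` sits directly before `return STATUS_SUCCESS;`, so if BackdoorData is a local (its declaration is outside the hunk) the compiler may treat the call as a dead store and drop it. `RtlSecureZeroMemory(&BackdoorData, sizeof(BackdoorData));` is the variant that is guaranteed not to be elided. The wipe also covers only the success path: any earlier error return in WriteToCiOptions, which starts above the hunk, would leave the buffer populated, so a single cleanup point reached by every return would be more consistent.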
diff --git a/EfiGuardDxe/EfiGuardDxe.c b/EfiGuardDxe/EfiGuardDxe.c
index f6598ef..74dbf37 100644
--- a/EfiGuardDxe/EfiGuardDxe.c
+++ b/EfiGuardDxe/EfiGuardDxe.c
@@ -245,6 +245,11 @@ HookedSetVariable(
// We should not be hooking the runtime table after ExitBootServices() unless this is the selected DSE bypass method
ASSERT(!gEfiAtRuntime || (gDriverConfig.DseBypassMethod == DSE_DISABLE_SETVARIABLE_HOOK && gBootmgfwHandle != NULL));
+ if (StrCmp(VariableName, L"SecureBoot") == 0)
+ {
+ return EFI_WRITE_PROTECTED;
+ }
+
// Do we have a match for the variable name and vendor GUID?
if (gEfiAtRuntime && gEfiGoneVirtual &&
VariableName != NULL && VariableName[0] != CHAR_NULL && VendorGuid != NULL &&
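Review bot: The new `StrCmp(VariableName, L"SecureBoot")` call runs before the `VariableName != NULL` test that the existing condition just below still performs, so a caller passing a NULL name now reaches StrCmp, which asserts on a NULL string in debug builds and dereferences it otherwise. The check also ignores VendorGuid, so a variable named SecureBoot in any vendor namespace is refused, not only the one under the global variable GUID. A guard such as `if (VariableName != NULL && VendorGuid != NULL && CompareGuid(VendorGuid, &gEfiGlobalVariableGuid) && StrCmp(VariableName, L"SecureBoot") == 0)` covers both. The commit message does not mention this behaviour change, so a one-line comment saying why the write is rejected with EFI_WRITE_PROTECTED would help. HookedSetVariable continues outside the hunk.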
diff --git a/EfiGuardPkg.dec b/EfiGuardPkg.dec
index 1bec751..1cb4309 100644
--- a/EfiGuardPkg.dec
+++ b/EfiGuardPkg.dec
@@ -15,7 +15,7 @@
[Protocols]
## Include/Protocol/EfiGuard.h
- gEfiGuardDriverProtocolGuid = { 0x51e4785b, 0xb1e4, 0x4fda, { 0xaf, 0x5f, 0x94, 0x2e, 0xc0, 0x15, 0xf1, 0x7 }}
+ gEfiGuardDriverProtocolGuid = { 0xa2b65550, 0x8675, 0x48ac, {0xbd, 0xe6, 0x02, 0xa5, 0x3b, 0xc2, 0x02, 0x3c }}
## Originally in OvmfPkg/Csm/Include/Protocol/LegacyBios.h
gEfiLegacyBiosProtocolGuid = { 0xdb9a1e3d, 0x45cb, 0x4abb, {0x85, 0x3b, 0xe5, 0x38, 0x7f, 0xdb, 0x2e, 0x2d }}
diff --git a/Include/Protocol/EfiGuard.h b/Include/Protocol/EfiGuard.h
index b5c3d1e..df77d11 100644
--- a/Include/Protocol/EfiGuard.h
+++ b/Include/Protocol/EfiGuard.h
@@ -12,7 +12,7 @@ extern "C" {
//
#define EFI_EFIGUARD_DRIVER_PROTOCOL_GUID \
{ \
- 0x51e4785b, 0xb1e4, 0x4fda, { 0xaf, 0x5f, 0x94, 0x2e, 0xc0, 0x15, 0xf1, 0x7 } \
+ 0xa2b65550, 0x8675, 0x48ac, { 0xbd, 0xe6, 0x02, 0xa5, 0x3b, 0xc2, 0x02, 0x3c } \
}
//
@@ -58,16 +58,21 @@ typedef enum _EFIGUARD_DSE_BYPASS_TYPE {
// (1) one of the Byte through Qword fields (depending on size) will contain the value at KernelAddress, or
// (2) the memcpy performed will be in the opposite direction, i.e. from KernelAddress to UserBuffer.
//
-#define EFIGUARD_BACKDOOR_VARIABLE_NAME L"roodkcaBdrauGifE" // "EfiGuardBackdoor" // TODO: randomize?
+#define EFIGUARD_BACKDOOR_VARIABLE_NAME L"GLM" // "MLG" // TODO: randomize?
#define EFIGUARD_BACKDOOR_VARIABLE_GUID &gEfiGlobalVariableGuid
#define EFIGUARD_BACKDOOR_VARIABLE_ATTRIBUTES (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
#define EFIGUARD_BACKDOOR_VARIABLE_DATASIZE sizeof(EFIGUARD_BACKDOOR_DATA)
-#define EFIGUARD_BACKDOOR_COOKIE_VALUE (0xDEADC0DE)
+#define EFIGUARD_BACKDOOR_COOKIE_VALUE (0xBEEFBEEF)
typedef struct _EFIGUARD_BACKDOOR_DATA {
+ UINT8 garbage_00[8];
+
UINTN CookieValue; // Currently must be EFIGUARD_BACKDOOR_COOKIE_VALUE
+
+ UINT8 garbage_01[128];
+
VOID* KernelAddress;
union {
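Review bot: `garbage_00[8]` and `garbage_01[128]` are added to EFIGUARD_BACKDOOR_DATA without any comment, and their names break with the PascalCase of the neighbouring `CookieValue` and `KernelAddress`. They shift the offset of every later field and grow `EFIGUARD_BACKDOOR_VARIABLE_DATASIZE`, so a driver and an application built from different revisions of this header will no longer agree on the layout. A comment on the struct stating that, and what the arrays are reserved for, would prevent a silent mismatch. Any code that fills the struct on the stack (not visible here) should zero it first, otherwise 136 bytes of uninitialised memory are passed along with the request. The struct definition continues past the end of the hunk.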